PRC Guidelines On Identifying Sensitive Personal Information (2025)


27 December 2024

Mayer Brown


The PRC National Technical Committee 260 on Cybersecurity of SAC ("TC260") published new Guidelines on Identifying Sensitive Personal Information ("Guidelines")[1] on 18 September 2024,[2] nearly three months after it released the draft guidelines ("Draft Guidelines") for public comment.[3]

Background

Under the Personal Information Protection Law ("PIPL"), data controllers are subject to more stringent requirements when processing sensitive personal information, such as more stringent protective standards, the requirement to obtain separate consent[4] and to conduct a privacy impact assessment ("PIA")[5] before processing sensitive personal information. Data controllers processing sensitive personal information shall ensure that there is sufficient necessity in doing so, and are also required to inform data subjects of the necessity of processing the sensitive personal information and the associated impact on their rights and interests. Depending on the volume of sensitive personal information cumulatively exported by a data controller, the requirement of a security assessment may be triggered (see our previous Legal Update on China Eases Controls over Cross-Border Data Transfers).

Prior to the issuance of the Guidelines, companies collecting and processing sensitive personal information have had to rely on vague definitions and non-exhaustive example lists under the PIPL, which caused uncertainties in respect of compliance requirements in terms of formulation of policies and procedures and the cross-border transfer of such data.

The Guidelines

The Guidelines provide detailed identification rules for sensitive personal information, and adopt the definition of sensitive personal information as set out in the PIPL, i.e. personal information will be regarded as sensitive if its disclosure or illegal use will easily result in damage to the dignity of natural persons, or endanger personal safety or properties.[6] The Guidelines provide some common scenarios[7] of breach that may often involve sensitive personal information:

  • Causing harm to dignity of natural persons: doxing; illegal access to internet accounts; online or telecommunication fraud; causing harm to personal reputation; discriminatory treatment due to unauthorized disclosure of information such as specific personal identities, religious belief, sexual orientation, specific diseases or health status
  • Endangering safety of human lives: unauthorised disclosure or illegal use of location tracking information
  • Endangering safety of properties: unauthorised disclosure or illegal use of financial account information

Categories of Sensitive Personal Information

In particular, the Guidelines identify eight common categories of sensitive personal information and provide examples for each category in an appendix. While the examples given should assist identification of sensitive information, they should not be taken as being exhaustive, and the focus should be on the "risk of harm" brought by its unauthorized disclosure or illegal use. Notably, the Guidelines further clarify that some personal information may not be identified as sensitive if there is sufficient evidence to prove that the unauthorized disclosure or illegal use of such personal information will not cause harm to the dignity of natural persons, or will not endanger the safety of human lives or properties.[8]

The eight common categories of sensitive personal information and some examples in each category are set out as below:[9]

  1. Biometric data: any personal genes, faces, voiceprint, gait, fingerprints, palmprints, eye prints, auricles, iris, etc.
  2. Religious belief information: any personal religion, religious organisations, positions in religious organisations, religious activities, special religious practices, etc.
  3. Specific identity information: any disability identity information, professional identity information that is not suitable for disclosure, etc.
  4. Medical and health information: 1) any health status information related to an individual's physical or mental injury, illness, disability, risk of illness, or privacy, such as symptoms, past medical history, family medical history, history of infectious diseases, physical examination reports, fertility information, etc.; 2) any personal information collected and generated in the process of disease prevention, diagnosis, treatment, nursing, rehabilitation and other medical services, such as medical treatment records (e.g., medical opinions, hospitalization records, medical orders, surgery and anesthesia records, nursing records, medication records), inspection and examination data (e.g., inspection reports, examination reports), etc.
  5. Financial account information: any account numbers and passwords of personal bank, securities, funds, insurance, provident fund and other accounts, provident fund joint account number, payment account number, bank card track data (or chip equivalent information), payment information generated based on account information, personal income details, etc.
  6. Location tracking information: any continuous and precise location tracking information, vehicle tracking, and personnel activity tracking, etc. However, location tracking information that is collected or otherwise processed in the context of performing service contracts for specific occupations (e.g., deliveryman and courier) will not be considered sensitive.[10]
  7. Personal information of minors: any personal information of minors under the age of 14.
  8. Other sensitive personal information: any precise location information collected via the precise location services of a personal mobile phone,[11] ID card photos, sexual orientation, sex life, credit information, criminal record information, photos or video showing private parts of an individual's body, etc.

Helpful Clarifications in the Guidelines

Notably, some information that is generally considered sensitive, such as credit records, transaction and consumption records, and web browsing history, has been excluded from the scope of sensitive personal information, which will reduce compliance costs significantly for companies.

Under the Draft Guidelines, "location and tracking information" had been defined broadly to include "any real-time precise positioning information and GPS vehicle trajectory information", which has been the cause of a fair degree of uncertainty given the breadth of the definition.[12] The Guidelines now clarify that only continuous precise positioning tracking information, vehicle driving tracking information, and personnel activity tracking information, etc. will be defined as sensitive.[13] Rough location information obtained from an IP address will not be classified as sensitive personal information. The Guidelines also excluded flight and high-speed train travel records from the list of examples of sensitive personal information.
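As an added illustration of how the identification rules above (the eight categories, the location-tracking carve-outs and the Article 3(b) low-harm exception) can be encoded in a data-inventory tagger, the following Python sketch is provided here; it is not part of this Legal Update and is not TC260's material. Every category key, flag name, obligation string and sample record is an assumption constructed for this example, and the tagger is a starting point for a privacy review, not a substitute for one.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical data-inventory tagger. It encodes the identification rules
# summarised in this Legal Update; the key names, flags and wording below are
# assumptions made for this example, not text from the Guidelines themselves.

# The eight common categories of Article 4 / Appendix A (assumed key names).
SENSITIVE_CATEGORIES = {
    "biometric", "religious_belief", "specific_identity", "medical_health",
    "financial_account", "location_tracking", "minor", "other_sensitive",
}

# Data types the Guidelines left out of (or removed from) the example list.
EXPLICITLY_EXCLUDED = {
    "transaction_records", "consumption_records", "web_browsing_history",
    "flight_travel_records", "train_travel_records",
}

# Obligations that attach once an element is classified as sensitive.
SENSITIVE_OBLIGATIONS = [
    "obtain separate consent (PIPL Article 29)",
    "conduct a privacy impact assessment before processing (PIPL Article 55)",
    "inform the data subject of the necessity and the impact on rights and interests",
    "count towards the cumulative export volume that can trigger a security assessment",
]


@dataclass
class DataElement:
    name: str
    category: str                          # assumed key, see SENSITIVE_CATEGORIES
    subject_age: Optional[int] = None      # age of the data subject, if known
    continuous_precise: bool = False       # location: continuous and precise trajectory
    occupational_contract: bool = False    # location collected to perform a service contract (courier etc.)
    derived_from_ip: bool = False          # rough location inferred from an IP address
    low_harm_evidence: bool = False        # Article 3(b): documented evidence that misuse causes no harm


@dataclass
class Classification:
    sensitive: bool
    reason: str
    obligations: List[str] = field(default_factory=list)


def classify(elem: DataElement) -> Classification:
    """Apply the identification rules in the order a reviewer would check them."""
    # Minors under 14: sensitive regardless of the data category.
    if elem.subject_age is not None and elem.subject_age < 14:
        return Classification(True, "personal information of a minor under 14",
                              list(SENSITIVE_OBLIGATIONS))

    # Location tracking carries the most carve-outs, so it gets its own branch.
    if elem.category == "location_tracking":
        if elem.derived_from_ip:
            return Classification(False, "rough location from an IP address is not sensitive")
        if elem.occupational_contract:
            return Classification(False, "tracking to perform an occupational service contract (Article 4(f))")
        if elem.continuous_precise:
            return Classification(True, "continuous and precise location tracking",
                                  list(SENSITIVE_OBLIGATIONS))
        return Classification(False, "location data that is neither continuous nor precise")

    if elem.category in EXPLICITLY_EXCLUDED:
        return Classification(False, f"{elem.category} was excluded from the example list")

    if elem.category in SENSITIVE_CATEGORIES:
        if elem.low_harm_evidence:
            return Classification(False, "Article 3(b): evidence shows misuse causes no harm")
        return Classification(True, f"listed category: {elem.category}",
                              list(SENSITIVE_OBLIGATIONS))

    # Not in the example list: the list is non-exhaustive, so flag for a risk-of-harm review.
    return Classification(False, "not a listed category; assess risk of harm manually")


def tag_inventory(elements: List[DataElement]) -> Dict[str, Classification]:
    """Classify every element of an inventory, keyed by element name."""
    return {e.name: classify(e) for e in elements}


# Constructed sample inventory (not real company data).
SAMPLE_INVENTORY = [
    DataElement("courier_gps_trace", "location_tracking", continuous_precise=True, occupational_contract=True),
    DataElement("consumer_app_gps_trace", "location_tracking", continuous_precise=True),
    DataElement("ip_geolocation", "location_tracking", derived_from_ip=True),
    DataElement("bank_card_number", "financial_account"),
    DataElement("fingerprint_template", "biometric"),
    DataElement("child_nickname", "contact", subject_age=9),
    DataElement("browsing_history", "web_browsing_history"),
]

if __name__ == "__main__":
    for name, result in tag_inventory(SAMPLE_INVENTORY).items():
        flag = "SENSITIVE" if result.sensitive else "not sensitive"
        print(f"{name:24} {flag:14} {result.reason}")
```

The order of the checks matters: the minor rule is evaluated before the category rules because it applies to any data type, and the occupational-contract carve-out is tested before the continuity test so that a courier's continuous GPS trace is correctly left outside the sensitive scope. Anything that falls through to the final branch is deliberately returned as "assess manually" rather than "not sensitive", because the Guidelines' example list is non-exhaustive.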

Takeaway

The Guidelines clarify some pre-existing ambiguities in identifying sensitive personal information. Companies are reminded to assess the "risk of harm" of the data they collect as well as to refer to the example list to determine whether the data they are processing shall be classified as sensitive personal information. While the Guidelines are non-binding, companies are advised to review their data privacy policy and documents to ensure compliance with the new identification rules.

The authors would like to thank Roslie Liu, Intellectual Property Officer at Mayer Brown, for her assistance with this Legal Update.

Footnotes

1 Full name of the Guidelines is "Practical Guidance of Cybersecurity Standards – Classification Guidelines for Sensitive Personal Information"

2 Original texts can be found here: https://www.tc260.org.cn/upload/2024-0918/1726621097544005928.pdf

3 Original texts can be found here: https://www.tc260.org.cn/front/postDetail.html?id=20240611204152

4 Article 29, the PIPL

5 Article 55, the PIPL

6 Article 3, the Guidelines

7 Article 3 (a), the Guidelines

8 Article 3 (b), the Guidelines

9 Article 4 and Appendix A, the Guidelines

10 Article 4 (f), the Guidelines

11 Note 6 of Appendix A, the Guidelines

12 Appendix A, the Draft Guidelines

13 Appendix A, the Guidelines


© Copyright 2024. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
